OWASP · serek8 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md
@@ -588,19 +588,19 @@ Most third-party services are implemented in two ways:
 
 ### User Interface
 
-### UI Components
+#### UI Components
 
 At certain points in time, the user will have to enter sensitive information into the application. This data may be financial information such as credit card data or user account passwords, or maybe healthcare data. The data may be exposed if the app doesn't properly mask it while it is being typed.
 
 In order to prevent disclosure and mitigate risks such as [shoulder surfing](https://en.wikipedia.org/wiki/Shoulder_surfing_%28computer_security%29) you should verify that no sensitive data is exposed via the user interface unless explicitly required (e.g. a password being entered). For the data required to be present it should be properly masked, typically by showing asterisks or dots instead of clear text.
 
-### Screenshots
+#### Screenshots
 
 Manufacturers want to provide device users with an aesthetically pleasing experience at application startup and exit, so they introduced the screenshot-saving feature for use when the application is backgrounded. This feature may pose a security risk. Sensitive data may be exposed if the user deliberately screenshots the application while sensitive data is displayed. A malicious application that is running on the device and able to continuously capture the screen may also expose data. Screenshots are written to local storage, from which they may be recovered by a rogue application (if the device is rooted) or someone who has stolen the device.
 
 For example, capturing a screenshot of a banking application may reveal information about the user's account, credit, transactions, and so on.
 
-### App Notifications
+#### App Notifications
 
 It is important to understand that [notifications](https://developer.android.com/guide/topics/ui/notifiers/notifications "Notifications Overview") should never be considered private. When a notification is handled by the Android system it is broadcasted system-wide and any application running with a [NotificationListenerService](https://developer.android.com/reference/kotlin/android/service/notification/NotificationListenerService "NotificationListenerService") can listen for these notifications to receive them in full and may handle them however it wants.
 
@@ -610,6 +610,6 @@ Furthermore there are a number of apps on the Google Play Store that provide not
 
 For this reason all notification usage should be inspected for confidential or high risk information that could be used by malicious applications.
 
-### Keyboard Cache
+#### Keyboard Cache
 
 When users enter information in input fields, the software automatically suggests data. This feature can be very useful for messaging apps. However, the keyboard cache may disclose sensitive information when the user selects an input field that takes this type of information.
diff --git a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0224.md b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0224.md
@@ -0,0 +1,37 @@
+---
+platform: android
+title: Sensitive Data Not Excluded From Keyboard Caching
+id: MASTG-TEST-0224
+type: [static]
+weakness: MASWE-0053
+---
+
+## Overview
+
+This test checks whether the target app prevents the caching of sensitive information entered into text fields. The keyboard may suggest previously entered text when typing in any app on the device.
+
+The following attributes, if present, will prevent the caching mechanism for text inputs.
+
+| XML `android:inputType` | Code `InputType` | API level |
+| -- | --- | - |
+| [`textNoSuggestions`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=the%20performance%20reasons.-,textNoSuggestions,-80001) | [`TYPE_TEXT_FLAG_NO_SUGGESTIONS`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=TYPE_TEXT_FLAG_NO_SUGGESTIONS. "Text input type") | 3 |
+| [`textPassword`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_SUGGESTIONS.-,textPassword,-81) | [`TYPE_TEXT_VARIATION_PASSWORD`](https://developer.android.com/reference/android/text/InputType#TYPE_TEXT_VARIATION_PASSWORD "Text password input type") | 3 |
+| [`textVisiblePassword`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_URI.-,textVisiblePassword,-91) | [`TYPE_TEXT_VARIATION_VISIBLE_PASSWORD`](https://developer.android.com/reference/android/text/InputType#TYPE_TEXT_VARIATION_VISIBLE_PASSWORD "Text visible password input type") | 3 |
+| [`numberPassword`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_DECIMAL.-,numberPassword,-12) | [`TYPE_NUMBER_VARIATION_PASSWORD`](https://developer.android.com/reference/android/text/InputType#TYPE_NUMBER_VARIATION_PASSWORD "A numeric password field") | 11 |
+| [`textWebPassword`](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_ADDRESS.-,textWebPassword,-e1) | [`TYPE_TEXT_VARIATION_WEB_PASSWORD`](https://developer.android.com/reference/android/text/InputType#TYPE_TEXT_VARIATION_WEB_PASSWORD "Text web password input type") | 11 |
+
+Android apps can use XML or code to create the UI. Many apps use both techniques simultaneously. So you should test both. After unpacking the APK with @MASTG-TOOL-0011, the XML files are in `/res/layout` directory. You can search for the code attributes with @MASTG-TOOL-0018.
-Android apps can use XML or code to create the UI. Many apps use both techniques simultaneously. So you should test both. After unpacking the APK with @MASTG-TOOL-0011, the XML files are in `/res/layout` directory. You can search for the code attributes with @MASTG-TOOL-0018.
+Android apps can use XML or code to create the UI. Many apps use both techniques simultaneously. So you should test both. After unpacking the APK with @MASTG-TOOL-0011, the XML files are in `/res/layout` directory. You can search for the code attributes with @MASTG-TOOL-0018.
+
+For more information you can consult the MASTG section about ["Keyboard Cache"](../../../Document/0x05d-Testing-Data-Storage.md#keyboard-cache).
-Android apps can use XML or code to create the UI. Many apps use both techniques simultaneously. So you should test both. After unpacking the APK with @MASTG-TOOL-0011, the XML files are in `/res/layout` directory. You can search for the code attributes with @MASTG-TOOL-0018.
+Android apps can use XML or code to create the UI. Many apps use both techniques simultaneously. So you should test both. After unpacking the APK with @MASTG-TOOL-0011, the XML files are in `/res/layout` directory. You can search for the code attributes with @MASTG-TOOL-0018.
+
+For more information you can consult the MASTG section about ["Keyboard Cache"](../../../Document/0x05d-Testing-Data-Storage.md#keyboard-cache).
+
+## Steps
+
+1. Statically search for the above XML attributes with @MASTG-TOOL-0011
+
+2. Statically search for above code attributes with @MASTG-TOOL-0018
+
+## Observation
+
+The output should indicate whether the app uses no-caching attributes.
+
+## Evaluation
+
+The test case fails if any of the text fields in your app accepts sensitive data but do not use no-caching attributes. If the app doesn't use the no-caching attributes at all, this may indicate that it doesn't provide any keyboard caching prevention.
diff --git a/tests/android/MASVS-STORAGE/MASTG-TEST-0006.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0006.md
@@ -8,6 +8,8 @@ title: Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0224]
 ---
 
 ## Overview